No Security Scrutiny for Half of Major Code Changes: AppSec Survey

February 15, 2024 at 09:51AM

A recent AppSec survey found that costly code reviews, limited security scrutiny, and manual cataloging of applications and APIs are common issues. Only 54% of major code changes undergo full security reviews, and organizations face challenges with the time and cost of the review process. The survey also highlights the reliance on documentation and spreadsheets for cataloging, as well as the complexity introduced by multiple programming languages. CrowdStrike stresses the importance of rethinking traditional approaches to application security and addressing challenges with manual processes, time-consuming reviews, and prioritization of security issues.

Key takeaways from the survey:

1. Only 54% of major code changes undergo a full security review, and 44% of organizations review less than half of the code changes.
2. Security reviews are time-consuming, with 81% of organizations needing more than one business day to conduct the review.
3. Security reviews are expensive: the average organization spends an estimated 62 business days’ worth of effort on security reviews each week, an annual cost of over $1 million.
4. Organizations rely heavily on documentation and spreadsheets to build their application and API catalogs and inventories, a manual process that is error-prone.
5. Programming language sprawl complicates the job of application security professionals, especially in organizations that deploy updates frequently and use multiple programming languages.
6. Using multiple tools for vulnerability detection and prioritization makes it difficult for organizations to correlate alerts across them.
7. Prioritization (deciding what to fix first) and visibility are the top challenges for most security professionals, with 70% stating that resolving a critical issue takes more than 12 hours.
8. CrowdStrike recommends that organizations rethink their approach to application security, since reliance on manual processes, time-consuming security reviews, and juggling multiple security tools is driving up costs and slowing security down.